I'm running Splunk Enterprise v7.01 running on Server 2012 R2
Lookups are not working in the Search App or in the Home Monitor App
Following the online Tutorial, I downloaded the sample data from Splunk.
I created a lookup table called prices using the prices.csv included in the download
Sample CSV data looks like this:
productId,product_name,price,sale_price,Code
DB-SG-G01,Mediocre Kingdoms,24.99,19.99,A
DC-SG-G02,Dream Crusher,39.99,24.99,B
FS-SG-G03,Final Sequel,24.99,16.99,C
WC-SH-G04,World of Cheese,24.99,19.99,D
I set the permissions on the prices.csv file to Everyone Read/Write All Apps
I configured a Lookup Definition prices_lookup pointing to the prices.csv file
props.conf
[prices_lookup]
batch_index_query = 0
case_sensitive_match = 1
filename = prices.csv
To test my lookup I run the following Query:
'inputlookup prices' also tried 'inputlookup prices_lookup' and 'inputlookup prices.csv'
All of these queries return no records
What am I doing wrong?
When you ran inputlookup prices
did your search look exactly like that?
inputlookup
is a generating command, and thus must have a leading |
:
| inputlookup prices_lookup
As to which names you can use for the lookup, your transform is named prices_lookup
, and your csv is named prices.csv
, so either of these would work:
| inputlookup prices_lookup
| inputlookup prices.csv
When you ran inputlookup prices
did your search look exactly like that?
inputlookup
is a generating command, and thus must have a leading |
:
| inputlookup prices_lookup
As to which names you can use for the lookup, your transform is named prices_lookup
, and your csv is named prices.csv
, so either of these would work:
| inputlookup prices_lookup
| inputlookup prices.csv
Thank You for the full explanation. Adding the leading pipe did work. I'm getting data back. Thanks
I'm guessing you forgot the leading pipe to run a non-search command: | inputlookup prices_lookup